<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-40350 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-40350/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-40350/feed.xml" rel="self" type="application/rss+xml"/><item><title>Movary Privilege Escalation via User Management Endpoint Access (CVE-2026-40350)</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-movary-privesc/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-movary-privesc/</guid><description>Movary versions prior to 0.71.1 are vulnerable to a privilege escalation, allowing authenticated non-admin users to access user management endpoints and create new administrator accounts due to missing middleware and flawed authorization checks.</description><content:encoded><![CDATA[<p>Movary, a self-hosted web application for tracking and rating movies, contains a privilege escalation vulnerability, identified as CVE-2026-40350, in versions prior to 0.71.1. This flaw allows any authenticated user, regardless of their assigned role, to access sensitive user management endpoints typically reserved for administrators. Specifically, an attacker can leverage the <code>/settings/users</code> endpoint to enumerate all existing users and create new administrator accounts. The root cause lies in the absence of proper admin-only middleware enforcement in the route definitions and a broken boolean condition within the controller-level authorization check. Successful exploitation grants the attacker complete administrative control over the Movary instance. The vulnerability was patched in version 0.71.1.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Movary application by creating a standard user account or compromising an existing non-admin account using valid credentials.</li>
<li>The attacker authenticates to the Movary web application, establishing a valid web session.</li>
<li>The attacker crafts a malicious HTTP GET or POST request targeting the <code>/settings/users</code> endpoint, typically intended for administrator access.</li>
<li>Due to the missing admin-only middleware, the request is not blocked, and the application proceeds to process it.</li>
<li>The application's controller-level authorization check contains a flawed boolean condition that fails to properly restrict access based on user roles.</li>
<li>The application enumerates all existing users, exposing their usernames and potentially other details to the attacker.</li>
<li>The attacker crafts a new HTTP POST request to create a new user account, specifying administrator privileges.</li>
<li>The flawed authorization check allows the creation of the new administrator account, granting the attacker full control over the Movary instance.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40350 allows an attacker to gain complete administrative control over a vulnerable Movary instance. This can lead to unauthorized data access, modification, or deletion, as well as the potential for further malicious activities, such as deploying backdoors or compromising the underlying server. The number of affected Movary installations is currently unknown. Organizations and individuals using Movary are urged to upgrade to version 0.71.1 immediately.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Movary installations to version 0.71.1 to remediate CVE-2026-40350.</li>
<li>Implement the provided Sigma rule &quot;Movary User Management Endpoint Access&quot; to detect unauthorized access attempts to <code>/settings/users</code> in web server logs.</li>
<li>Review web server access logs for suspicious activity targeting the <code>/settings/users</code> endpoint, especially requests from non-administrator users.</li>
<li>Enable stricter role-based access control mechanisms for web applications to prevent similar privilege escalation vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-40350</category><category>privilege-escalation</category><category>web-application</category></item></channel></rss>